7 Tough Cybersecurity Interview Questions
Cyber security analyst. Information security specialist. Software security engineer. Chief information security officer. No matter where your interest lies in cybersecurity, your skills are needed. All that stands between you and your dream role, is the job interview.
When meeting with organizations ready to fill cybersecurity positions, you should be prepared to face some tough questions. Employers will want to gauge your practical knowledge, as well as determine whether you can tell the difference between some key cybersecurity concepts (i.e., black hat, white hat, and gray hat hackers). Here are a few questions you can expect to encounter during the interview process.
1. Why did you (or do you) want to get involved in cybersecurity?
Your credentials may demonstrate where you’ve been and what hard skills you’ve developed, but they won’t necessarily show your passion for the cause and your gumption for fighting cyber criminals. Be ready to talk about your strengths in the intangible areas of instinct, sense of duty, morality, and such.
2. Can you describe a time you solved a cybersecurity issue within a team?
Soft skills are sorely needed in cybersecurity, including being able to work as part of a team. Effective cybersecurity means having to solve problems with others, so being able to bring to mind times when you’ve worked as part of a group will be essential. A potential employer will want to know that you can play nicely as a team member, along with being able to critical-think on your own.
Be aware that this may lend itself to another question about any roadblocks you might have encountered while solving a cybersecurity concern. It’s best to highlight how you took positive action within the team, or even led the team, to overcome something such as individual differences of opinion, varying skill levels within the group, or management intervention. Just be careful in discussing how you overcame any management issues so as not to put off an executive-level interviewer.
3. Have you ever experienced a serious breach?
While talking about your problem-solving skills within a team atmosphere, be prepared for this hard-hitting question. Jason Taule, vice president of Standards and CISO at HITRUST, considers this one especially tough because there is no right answer.
“No one wants to admit to having had a breach on their watch, but many times they happen despite one’s best efforts through no fault of the security team or CISO,” Taule says. “On the other hand, a ‘no’ response might suggest the candidate lacks necessary experience to successfully navigate an organization through a major breach.”
Taule’s suggestion: Acknowledge the seeming inevitability of breaches, “but focus on accomplishments in building successful detection capabilities and effective incident response programs, and describing experiences gained handling less severe but otherwise reportable events instead.”
4. How do you stay on top of industry trends and changes?
This question is designed to test your industry knowledge. Is it relevant and up to date? Here, a generic answer won’t cut it. Instead, offer up some specific news websites, security forums, podcasts, or blogs, and provide an example of a recent trend and where you read about it.
This is a great time to talk about your cybersecurity education—particularly an advanced degree, and any immersive learning experiences you have. You can speak about the need for constant learning in cybersecurity, and how your degree helps achieve this.
5. What can you tell me about security within my company?
You should definitely expect a question along these lines. It’s normal for any business to check that a candidate has researched them and understands what product or service they offer. A potential employer will want to see that you have knowledge of the type of technology they’re using and any other information you can gather.
Take it from CSO Online’s George V. Hulme, who advises that you should try to understand what language(s) the company uses. Anything you can offer up during an interview will add to your credibility.
6. Can you describe a complex cybersecurity concept in easy-to-understand language?
One of the most sought-after skills in cybersecurity is the ability to communicate a complex topic in a simplified way. As Tim Heard at the Infosec Institute writes, being able to grasp the “big picture” and deliver information that’s key to specific stakeholders, while disregarding unessential information, is a highly desired trait. To build these soft skills, consider investing in a Master’s degree in Cybersecurity (if you don’t already have one) through which you can learn how to easily communicate complex cybersecurity issues and techniques.
7. What is a pen test and can you explain the process of pen testing?
You may not get this exact question, but as IT security risk manager Adriano Leite of Cliffside Security explains, you’re likely to receive many questions about specific test protocols and be asked to take the interviewer through a specific process. Not only should you have processes like penetration testing down pat, but you should also know other types of technical details—such as encryption, basic coding, and patch management—and be able to apply your knowledge to real-world scenarios based on the level of expertise wanted. The ability to describe how you would defend an organization against a threat will be a definite plus.
When it comes to cybersecurity know-how, you can’t be too prepared for any interview question. Learn as much detail about the industry as possible, and be ready to relate everything you know back to practical examples for the interviewer.
10 Most Desired Traits for Cyber Security Job Candidates
Finding a good candidate, or possibly any candidate, to fill one of the thousands of open cybersecurity positions available is one of the greatest challenges facing security executives today.
So with that in mind, we asked some of the top names in the industry what traits they look for in a job applicant. Here are the top ten most desired cybersecurity traits:
1. Continuous Learner
Shamla Naidoo, Chief Information Security Officer, IBM
“The cybersecurity landscape is evolving continuously and rapidly, and therefore the most important quality I look for in a security hire is someone who can do the same – someone with a natural curiosity that will lead to continual learning. The security workforce needs people who will be a part of inventing the solutions that will keep us safe not only today but in the future.
For me, it’s about hiring someone who has intellectual depth but is willing to learn from others, without ego – not just experience to perform the role. I look for demonstrable willingness to learn new things and think outside of the box, with specific examples of where they’ve done this successfully in the past.”
Reg Harnish, CEO of GreyCastle Security
“The most important quality I look for when hiring new talent is persistence. Are they determined? Do they have the gumption to do the job right? In the cybersecurity world, the problems people face are not only ever-changing, but also very difficult to start with, so persistence is key.
Additionally, a certain level of persistence requires confidence, which is a must in this industry, as security consultants have to deal with the full gamut of employees, from CEOs and board-level executives to end users. There’s no time to second guess yourself.”
3. Curious and Perceptive
Renee Walrath, Founder of Walrath Recruiting
“To work in cybersecurity, curiosity is an absolutely essential trait. Anyone who gets comfortable in fighting off threats in the same fashion will quickly be outdated, and subject to breaches. To be successful you have to be curious, and seek out new weaknesses before they become weaknesses. A cybersecurity professional needs to be a continuous learner to stay one step ahead of external threats. Proactively learning and updating systems is the only way to stay ahead.”
Perceptive- “A good cyber security professional needs to see problems from both sides. They have to be in the mindset of the company, thinking of what they want to protect. They also have to look through the lens of an external threat and perceive any weaknesses or places to attack. Having both perspectives will make it easier to build a strategy to defend against an external threat.”
4. Cerebral, Instinctive and Emotional
Chris Drake, CEO Armor
“The dynamic nature of cybersecurity dictates that a person will need to wear a variety of hats and excel in diverse areas to be successful. While tangible skills like these are critical, there are several intangible characteristics that can serve as the foundation for rising above the crowd, including:
- Cerebral – intelligence, process and reason
- Instinctive – innate desire, awareness, quick thinking
- Emotional – heart, passion, sense of duty, pride, morality, justice
It doesn’t stop there, however. Working in cybersecurity is different from other sectors of IT. There is a tremendous amount of collaboration across various disciplines, which requires qualities that might not be as significant in other IT roles. This includes attributes such as creativity, confidence, focus, reliability and humility. Interestingly, we’ve found that those with musical talent have an innate ability to synchronize these skills and emerge as a solid security expert.”
5. Having a well-rounded skillset
Scott Laliberte, managing director, Protiviti
“These skills range from cyber governance and related soft skills to technical skills, such as penetration testing, hardware/ IOT security, industrial control system security, secure development and code review, network security, identity and access management, etc. The ability to communicate issues in non-technical terms that business people can understand. This is a key attribute in attaining leadership positions in this field.
Finding a candidate that has a balance of strong technical skills, business acumen and communication aptitude is extremely rare, but those candidates will go very far.”
6. Can work under the gun, attention to detail
Michael Potters (right), the CEO of Glenmont Group
“The ability to work at speed, under pressure, to make decisions in real time and with reliable accuracy and to be able to work in a global environment and drive change.”
7. Think like a black hat
Domini Clark, principal, Blackmere Consulting
“The ability to think like a ‘bad guy’ enables security professionals to anticipate what hackers might try, and to identify weak points in system defenses. This ability is sometimes lovingly referred to as the ‘evil bit’ (as in bits and bytes) which seems to be coded into the personalities of many industry superstars.”
Tim Erlin, VP, Tripwire
“Being analytical, curious and a good communicator are just some of the attributes that make a good cybersecurity professional. If you have the right systems in place, there is no reason not to hire someone who has these skills and teach them the technical skills later. There is an abundance of IT talent that wants to break into this sector and there are many diamonds in the rough that can be mentored and nurtured into future stars. Moving forward, we need a change in mindset quickly otherwise this issue will scale out of hand.”
We know that companies are seeking the perfect candidate who has 5-10 years’ experience and several certifications for an entry-level position. This is an impractical and damaging approach to hiring as we are substantially restricting the pool of potential candidates.
9. Military veteran
Stephan Tallent, senior director of managed security service providers, Fortinet
“They have the proven ability to learn new skills and concepts, which makes them ideal candidates. And many have been trained in the use of some of the most advanced technologies in the world. Performance under pressure is another big differentiator for veterans. They have a capacity to accomplish priorities on time and they know the critical importance of staying with a task until it is done right. And like active military duty, cybersecurity is detail- and process-oriented, often with extreme consequences for failure.
Additionally, military duties involve a blend of individual and group productivity, they can function as both a highly effective team operator as well as an individual contributor. As a bonus, many veterans come with highly sought-after security clearances already in place.”
10. Willingness to continuously develop skills
Rob Clyde, ISACA Board Member
“About 70 percent of organizations require cyber-security applicants to have a cyber-security certification. Therefore, an increased emphasis on and investment in training and professional development is a must. Hiring personnel and giving them the chance to develop that experience would go a long way toward raising cyber capabilities across all industries. While having a realistic sense of cyber professionals’ market value is a must, investment in professional development opportunities and job rotation to help round out skills and minimize frustration with repetitive tasks also can incentivize employees to stay for longer periods.
Retaining and providing professional development to employees help organizations be prepared to meet cyber-security challenges head-on.”